Hi, thank you very much for helping me.
my query is:
index="uk" sourcetype="ukpro2" serviceType=1 message="Received * bytes from IP*"
| rename time as time1, message as Request
| join type="outer" audit
    [search index="uk" sourcetype="ukpro2" serviceType=1 message="Deleted m_pReceivingSocket"
     | rename time as time2, message as Responce]
| eval itime=strptime(time1,"%H:%M:%S.%3N")
| eval ptime=strptime(time2,"%H:%M:%S.%3N")
| eval TimeDiff=ptime-itime
| where TimeDiff > 0
| bucket _time span=5m
| stats avg(TimeDiff), min(TimeDiff), max(TimeDiff) by _time
This query is working for every 5 minutes,
but the only problem is that dates are not present in the log file, so Splunk takes an automatic date, and the output changes based on the date difference.
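As an added example (not part of the original post, and not a Splunk-supplied query), here is one way to make the time difference independent of whatever date strptime fills in for a time-only field. It assumes the same field names as the query above (audit as the join key, time as the clock-only timestamp field) and that the reported problem is request/response pairs whose clock values cross midnight, which is an assumption rather than something the post confirms:

```spl
index="uk" sourcetype="ukpro2" serviceType=1 message="Received * bytes from IP*"
| rename time as time1, message as Request
| join type="outer" audit
    [search index="uk" sourcetype="ukpro2" serviceType=1 message="Deleted m_pReceivingSocket"
     | rename time as time2, message as Responce]
| eval itime=strptime(time1,"%H:%M:%S.%3N"), ptime=strptime(time2,"%H:%M:%S.%3N")
| eval rawdiff=ptime-itime
| eval TimeDiff=if(rawdiff<0, rawdiff+86400, rawdiff)
| where isnotnull(ptime) AND isnotnull(itime)
| bucket _time span=5m
| stats count as pairs, avg(TimeDiff) as avg_s, min(TimeDiff) as min_s, max(TimeDiff) as max_s by _time
```

Because both strptime calls are evaluated in the same search run with the same implied date, only the clock difference between them is meaningful; when the response clock is smaller than the request clock the pair is treated as having wrapped past midnight and 86400 seconds are added instead of dropping it with `where TimeDiff > 0`. The `isnotnull` filter keeps only rows where the outer join actually found a matching "Deleted m_pReceivingSocket" event, and the `pairs` count makes it visible when a 5-minute bucket contains few or no matched pairs. The caveat that remains is that a clock-only timestamp cannot distinguish a gap of one hour from a gap of twenty-five hours, so the only lasting fix is to log the full date alongside the time.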